Prevent ERP Security Breaches by Training Employees on These Best Practices

By: on November 5, 2018

Humans are fallible beings. Pobody’s nerfect, right?

Sometimes when we mess up, it’s not a big deal; you identify the problem, learn from it and move on. But other times, our mistakes carry far-reaching and long-lasting consequences, especially when handling (or mishandling) critical business information—like, say, the data found in an ERP system.

ERP users are gatekeepers of the most highly sensitive company data, such as corporate financials and the personally identifiable information of employees and customers—the stuff cybercriminals can’t wait to get their grubby little hands on. But many users aren’t adequately trained on how to reduce these risks, jeopardizing the security of the system, its data and the business as a whole.

If businesses train ERP users on the following best practices, they will reduce security breaches by more than 50 percent and minimize the damage to their most critical business data.

Train Employees on These Security Hygiene Best Practices

Like mouthwash for your ERP, security hygiene is one of the best lines of defense against those who seek to infect your business. When training your employees upon implementing an ERP system, focus on communicating the following security best practices:

Perform Regular Software Updates

When a developer releases a software update, train your users and system administrators to install it as soon as possible. Most updates address critical security issues identified by the developer, offering a reliable and consistent way to combat the latest known threats to your system.

Require Strong, Complex Passwords

System administrators should require all users to continually update their passwords, which should be at least eight characters and include a mix of uppercase letters, lowercase letters and symbols. Password management software is an increasingly popular solution for password generation and storage, and even most web browsers now include built-in password solutions—an attractive option for cloud-based ERP systems.

Utilize Multifactor Authentication

In the event that a password is compromised, multifactor authentication (aka two-factor or two-step authentication) can ensure that only the authorized user can access the account. It does this by requiring confirmation from a second location, usually a cell phone or email address, to offer a second line of defense against intruders. Businesses should integrate multifactor authentication into their routine security protocol whenever possible.

Install Anti-malware Software

There’s no shortage of security software out there (compare products here), making it easier to find the solution that best suits the needs of your business. Some vendors are building recent industry advancements, like password generators and multifactor authentication, into their software, making it easier for businesses to not only detect malicious activity on their machines, but to prevent it from happening altogether.

Ensure ERP Data Recovery With Frequent System Backups

What’s worse than someone hacking your ERP system? Someone hacking your ERP system and then losing all your data. ERPs bring together a variety of business units, housing the most critical business data like company financials and personally identifiable information of clients and employees.

Losing all that data after a security breach will almost certainly devastate a small or midsize business (SMB). But routinely backing up your data—every day, at the least—will significantly soften the blow.

Encrypt Your Data to Shield It From Unauthorized Use

If a cybercriminal were to get their hands on your business data, it could spell trouble—unless said data is encrypted, in which case, good luck, cybercriminal! Encryption translates your data in a way that is virtually indecipherable to the average human hacker. This last line of defense against an ERP intruder is arguably the most vital, ensuring that even if someone acquired the data they so crave, they can’t do anything with it.

When Training Isn’t Enough: The Detect-and-Respond Approach to Threat Management

A 2015 report by Mandiant found that, on average, 205 days passed between malware being placed on a system, and detection of that malware. That’s more than six months! This gives hackers plenty of time to purge your most sensitive business data—even with their eyes closed.

Obviously, the ideal scenario is to prevent them from penetrating your system in the first place. But if it does happen (and it probably will, at some point), you absolutely must have a plan in place. Establishing your detect-and-respond protocol during the training process is thereby essential to the security and welfare of your business.

A 2017 Gartner study predicts that, by 2020, more than half of enterprise information security budgets will go toward detect-and-respond approaches, compared to less than 20 percent in 2015.

This approach stands in contrast to, though not as a replacement for, the security hygiene and data protection methods listed above, and ought to be included as part of your business’s comprehensive ERP security training curriculum.

The detect-and-respond approach is just what it sounds like: pinpointing the source and location of an attack, addressing it in a timely and effective manner, and taking the steps necessary to ensure it doesn’t happen again.

Use the following checklist to keep users informed on how to appropriately respond once a threat is identified:

detect-and-respond erp security checklist

What Should You Do Now?

Before finalizing your SMB’s ERP security training protocol, here are some things you can do to prepare:

  • Assess the unique strengths and learning styles of your team members and establish a training regimen to best instill these concepts.
  • Draft a training document that adapts the best practices above to the specific features of your ERP system.
  • Read this article about specific ERP security threats—and how to stop them.
  • Talk to your ERP vendor about any known security issues or vulnerabilities that you should be aware of.

Done all that and still need some direction?

Browse our list of ERP software vendors to make sure your system has the security features you need. You can also give us a call at (844) 686-5616; our software advisors are ready to help you find the right ERP system for your business with a free 15-minute phone consultation.

You may also like:

EHR Security Measures, Explained (Or: How I Learned to Stop Worrying and Love the Software)

Key Criteria For ERP Software Selection

5 ERP Security Threats You Can Stop Right Now

Compare ERP Software